The recent emergence of powerful open-source AI models like DeepSeek has sent many enterprises scrambling to block access per their security policies. While AI teams increasingly turn to open repositories to leverage free and highly capable models like DeepSeek, security teams face mounting pressure to prevent unrestricted downloading of artifacts from untrusted sources. The bottom line is clear: organizations deeply care about trust in their AI Supply Chain.

That's why we're especially pleased to announce that, beginning immediately, all existing users of Cisco Secure Endpoint and Email Threat Protection are protected against malicious AI Supply Chain artifacts, whether downloaded directly from the Hugging Face open-source repository, shared via email, or downloaded from a shared drive.

Understanding AI Supply Chain Security

At Cisco, we've observed firsthand that while organizations worry about various AI security concerns like prompt injections and jailbreaks, their security instincts first react to risks in the AI Supply Chain. ML teams face a critical challenge: security teams often completely block access to platforms like Hugging Face, preventing the use of open-source models. This creates a difficult tension -the rapid pace of open-source innovation means teams risk falling behind if they can't access these models, yet security teams' concerns about harmful models causing widespread organizational issues are equally valid.

AI Supply Chain Security encompasses the practices and measures designed to protect enterprises and applications throughout the AI development and deployment process. This includes securing software stacks, training data, and third-party models against vulnerabilities and attack vectors such as software flaws, deserialization issues, architectural backdoors, and data/model poisoning.

"Securing the AI supply chain is more than a technical necessity, it's the foundation of trust in technology. Organizations worldwide are increasingly recognizing that supply chain security is foundational to protect both AI applications and traditional systems from vulnerabilities inherited at every stage of development and in production. At Cisco, we are committed to leading this charge by equipping our customers with advanced protections against these emerging threats, ensuring that innovation does not come at the expense of security."

Omar Santos, Distinguished Engineer, Security & Trust at Cisco and Co-Chair of the Coalition for Secure AI

The three pillars of AI Supply Chain Security

1. Software Security

The software component of AI supply chain security addresses several critical areas:

• Software library vulnerabilities that can compromise system integrity
• Untrusted repositories, including maliciously configured repositories on platforms like Hugging Face
• Framework vulnerabilities, such as those found in popular tools like Langchain

2. Model Security

Models present unique security challenges, including:

• Embedded malware within model files
• Dependencies with known vulnerabilities (e.g., zlib.decompress)
• Architectural backdoors (e.g., in Lambda layers)
• Backdoors embedded in model weights
• Models whose behavioral properties violate company policies or security standards

3. Data Security

The data aspect of AI supply chain security focuses on:

• Potential poisoning during training processes
• Data and model provenance liability in the lineage of models or datasets
• Licensing and compliance issues related to models, or inherited from parent models and training data

Current cross-industry challenges

Organizations face several pressing challenges in securing their AI supply chain:

• Security teams cannot rely on manual model scanning or verification processes
• Model vulnerabilities can impact both application security and compromise enterprise security posture through arbitrary code execution or backdoors
• Current security processes often impede innovation and development speed

"Open-source repositories like Huggingface are a particularly interesting quandary because we need access to validate models we are working with, but it is also an uncontrolled repo of potentially malicious models. It is a strategic imperative to allow access, but also a security imperative to block the use of malicious models."

Sarah Winslow, Director | PSEC Emerging Technologies & AI, Veradigm| PSEC Emerging Technologies & AI, Veradigm

Introducing Secure Endpoint AI Supply Chain Protection

We're excited to announce that all existing Cisco Secure Endpoint customers now receive automatic protection against malicious AI Supply Chain artifacts sourced from Hugging Face. No additional configuration is required. The solution offers:

• Automatic blocking of known malicious files during read/write/modify operations
• Protection against multiple threat vectors, including direct downloads and side-channel delivery (e.g., ZIP file through shared drive)
• Configurable alert or quarantine capabilities

In addition, Cisco Email Threat Detection has been upgraded to automatically block email attachments containing malicious AI Supply Chain Security artifacts as attachments.

The upgraded capabilities specifically protects against five critical threats:

• Code Execution Vulnerabilities
• System Command Execution Vulnerabilities
• Networking and Remote Execution Vulnerabilities
• Serialization and Deserialization Vulnerabilities
• Web Interaction and User Interface Manipulation

Cisco AI Threat Intelligence + Advanced Malware Protection

Now a part of Cisco, threat intelligence from our AI Security Threat Research team now informs Malware Defense (previously known as Advanced Malware Protection or AMP). Malware Defense has long benefitted from world class threat research and intelligence feeds from Cisco Talos.

Security threats in machine learning models and data formats has been studied and reported on by Robust Intelligence (now a Cisco Company) since 2021, where we were early to establish an AI Security Threat Research Team and subsequent intelligence services. In 2023, we released AI Risk Database as an AI Supply Chain investigation tool, and enhanced it and released it as an open source project on GitHub in partnership with MITRE, under the broader set of MITRE ATLAS tools.

Looking ahead

This is just the beginning of our commitment to AI supply chain security. There's so much more to come to protect developers of AI systems against supply chain risk. As AI continues to evolve and integrate into enterprise systems, securing the AI supply chain becomes increasingly critical. Organizations need not sacrifice security for innovation with Cisco AI Security offerings.

We'd love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!